California Privacy Laws
by Thomas Bookwalter, CEO FMDC
Several recent California laws significantly affect companies that do business with California residents (as customers, prospects, employees, part-time workers or individual sub-contractors). These new laws impose new requirements on businesses with respect to maintaining and sharing personal information about California residents.
Assembly Bill 1950
AB 1950 imposes requirements on businesses that maintain personal information, in any form, about one or more California residents.
Who must comply with AB 1950?
All companies (whether located in California or not) that have confidential information about California residents, except those that are regulated by state or federal law providing greater protection to personal information than AB 1950.
Companies not subject to AB 1950 include:
- Health care providers regulated by the Confidentiality of Medical Information Act;
- Banks and other financial institutions subject to the California Financial Information Privacy Act or GLBA; and
- Businesses governed by HIPAA.
What are the requirements of AB 1950?
- Businesses must implement and maintain security procedures to protect personal information about California residents (either customers or employees); and
- Businesses that disclose personal information about California residents to a third party must require that the third party also have security procedures to protect the data.
Personal information. Under AB 1950, "personal information" means an individual’s:
- First name or first initial and his or her last name, in combination with any one or more of the following data elements:
  - Social security number;
  - Driver's license number or California identification card number;
  - Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a person's financial account; or
  - Medical information.
Personal information does not include information that is lawfully made available to the general public from federal, state, or local government records.
Required security procedures under AB 1950. AB 1950 requires businesses to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."
Interestingly, AB 1950 excludes from its definition of "personal information" any information that is encrypted or redacted. A business that encrypts all personal information stored on its computers must still adequately protect non-computer-based information, such as paper reports containing personal information, customer receipts, etc.
In addition to its own security procedures, if the business discloses California resident personal information to a third party (such as a data services provider, researcher or marketing partner), the business must contractually require the third party to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, use, modification, or disclosure."
What are the consequences of failing to comply with AB 1950?
A violation of AB 1950 could subject the business to a lawsuit under California's Unfair Competition Law (CUCL). The CUCL classifies "unlawful business conduct" as a form of unfair competition, and provides for civil penalties, private rights of action, and class actions against businesses engaged in such activities.
What can my business do to ensure compliance with AB 1950?
Any business (no matter where it is located) that conducts any business with California residents (as customers, employees, sub-contractors, part-time workers, etc.) should consider taking the following actions to ensure compliance, unless the business is exempt from the requirements of AB 1950 as specified above:
- Identify the kinds of personal information collected and maintained. Be sure to include paper-based as well as electronically-stored data.
- Determine the level of risk that the potential loss or unauthorized disclosure of information poses.
- Determine the security measures and procedures that are "reasonable."
- Modify current policies, procedures and practices to align them with the degree of risk associated with the loss or improper disclosure of that information.
As is the case with all such procedures, it is a good idea to document this process, as well as to implement the proof systems necessary to demonstrate that the resulting requirements are being followed consistently and reliably.
Senate Bill 27
SB 27 requires any business that discloses a customer’s personal information to a third party, for direct marketing purposes, to provide the customer, within 30 days after the customer’s request, the names and addresses of the recipients of that information and specified details regarding the information disclosed.
Who must comply with SB 27?
Every business with 20 or more full-time or part-time employees that has personal information about California residents.
What are the requirements of SB 27?
Although there are some exceptions, SB 27 generally requires any business that discloses personal information about a California resident to a third party, knowing or having reason to know that the third party will use the information for direct marketing, to implement a way for California residents to request and receive the details of the personal information that was shared with the third party. Other California and federal laws regulate how the information should be managed.
Personal Information. The definition of personal information under SB 27 is very comprehensive. SB 27 defines personal information as "any information that, when it was disclosed [by the customer to the business], identified, described, or was able to be associated with an individual." SB 27 includes all of the following as elements in the definition of personal information:
- An individual’s name and address;
- Electronic mail address;
- Age or date of birth;
- Names of children;
- Electronic mail or other addresses of children;
- Number of children;
- The age or gender of children;
- Height;
- Weight;
- Race;
- Religion;
- Occupation;
- Telephone number;
- Education;
- Political party affiliation;
- Medical condition;
- Drugs, therapies, or medical products or equipment used;
- The kind of product the customer purchased, leased, or rented;
- Real property purchased, leased, or rented;
- The kind of service provided;
- Social security number;
- Bank account number;
- Credit card number;
- Debit card number;
- Bank or investment account, debit card, or credit card balance;
- Payment history; and
- Information pertaining to creditworthiness, assets, income or liabilities.
For the purpose of SB 27, a "customer" is any California resident engaged in a business relationship with the company. A completed transaction is not required; an attempted transaction suffices. This means that any personal information that a business collects from customers or prospects falls within the scope of this law.
Accepting customer inquiries about personal information disclosed to third parties.
Under SB 27, businesses that provide information to third parties that may be used for direct marketing purposes must provide customers several ways to request information:
- Postal mail, provided that the business designates a specific mailing address to receive inquiries;
- Electronic mail, provided that the business designates a specific electronic mail address to receive inquiries;
- Telephone, provided that the business designates a specific toll-free telephone number to receive inquiries; and/or
- Facsimile, provided that the business designates a specific toll-free fax number to receive inquiries.
Inform customers of their right to receive information about the disclosures.
A business that discloses information to third parties for direct marketing purposes must do at least one of the following:
- Regularly notify employees who have customer contact of the procedures on how customers can obtain information about the disclosures;
- Post the procedures on how customers can obtain information about the disclosures on the company’s Web site; and/or
- Make the procedures for customers to obtain information about the disclosures readily available in written form at every place of business in California where the business or its agents have regular contact with customers.
Responding to customer inquiries about personal information disclosed to third parties.
When asked, provide all of the following in writing and free of charge within 30 days:
- A list of the items of personal information that were disclosed to third parties for the third parties' direct marketing purposes during the immediately preceding calendar year;
- The names and addresses of all of the third parties that received personal information from the business for direct marketing purposes during the preceding calendar year; and
- Information about the third party sufficient to give customers a reasonable idea of the nature of the business of the third parties.
Limitations on requirements. Businesses that must comply with SB 27 are not obligated to respond to a request from a customer more than once in a calendar year.
Separately, SB 27 sets forth examples of certain arrangements deemed NOT to be disclosures to third parties for the purposes of this law. These include:
- Disclosure of personal information not used for the third party’s direct marketing purposes;
- Disclosure of information incidental to an arrangement with a third party for the maintaining or servicing of accounts, that is not used for the third party’s direct marketing purposes;
- Lawful disclosures to or from consumer reporting agencies; and
- Disclosure of information to a third party for the purpose of jointly offering a product or service to the customer. In order to satisfy this exemption, all of the following requirements must be met:
  - The personal information must be disclosed pursuant to the terms of a written agreement between the discloser and the third party, for the purpose of jointly offering a product or service;
  - The agreement must provide that the receiver of the information must maintain the confidentiality of the information, and is prohibited from disclosing or using the information other than to carry out the joint offering that is the subject of the written agreement;
  - The product or service offered must be a product or service of, and be provided by, at least one of the businesses that is a party to the agreement; and
  - The product or service must clearly and conspicuously identify:
    - all of the parties that jointly offer, endorse, or sponsor the product; and
    - all of the parties that disclose and receive customer information. This should be done by way of a pre-sale disclosure to every potential customer. A business should not disclose personal information under this exemption if the customer does not in fact purchase the product or service.
What are the consequences of failing to comply with SB 27?
SB 27 specifically provides that any customer injured by a violation of this law may institute a civil action to recover damages of up to $3,000 per violation. SB 27 also authorizes a prevailing plaintiff to recover his or her reasonable attorney fees and costs. This increases the likelihood that people will bring these lawsuits against businesses.
What can my business do to ensure compliance with SB 27?
SB 27 is a complex law and has a number of exemptions in addition to those mentioned here. If your business is affected or potentially affected, seek legal counsel to understand in detail the requirements and exemptions of the law.
To ensure compliance with SB 27, incorporate its requirements into routine operations and written operating procedures. SB 27 does not permit management to create reasonable procedures based on risk. SB 27 is a disclosure statute, and, as such, its requirements are specific and mandatory.
If your business discloses information to third parties, and that information may be used for direct marketing purposes, have your procedures for this data-sharing reviewed by legal counsel to ensure compliance with SB 27 and other state and federal laws.
